Quantitative Verification of Masked Arithmetic Programs Against SideChannel Attacks
 1 Citations
 5.3k Downloads
Abstract
Power sidechannel attacks, which can deduce secret data via statistical analysis, have become a serious threat. Masking is an effective countermeasure for reducing the statistical dependence between secret data and sidechannel information. However, designing masking algorithms is an errorprone process. In this paper, we propose a hybrid approach combing type inference and modelcounting to verify masked arithmetic programs against sidechannel attacks. The type inference allows an efficient, lightweight procedure to determine most observable variables whereas modelcounting accounts for completeness. In case that the program is not perfectly masked, we also provide a method to quantify the security level of the program. We implement our methods in a tool QMVerif and evaluate it on cryptographic benchmarks. The experiment results show the effectiveness and efficiency of our approach.
1 Introduction
Sidechannel attacks aim to infer secret data (e.g. cryptographic keys) by exploiting statistical dependence between secret data and nonfunctional observations such as execution time [33], power consumption [34], and electromagnetic radiation [46]. They have become a serious threat in application domains such as cyberphysical systems. As a typical example, the power consumption of a device executing the instruction \(c=p\oplus k\) usually depends on the secret k, and this can be exploited via differential power analysis (DPA) [37] to deduce k.
Masking is one of the most widelyused and effective countermeasure to thwart sidechannel attacks. Masking is essentially a randomization technique for reducing the statistical dependence between secret data and sidechannel information (e.g. power consumption). For example, using Boolean masking scheme, one can mask the secret data k by applying the exclusiveor (\(\oplus \)) operation with a random variable r, yielding a masked secret data \(k\oplus r\). It can be readily verified that the distribution of \(k\oplus r\) is independent of the value of k when r is uniformly distributed. Besides Boolean masking scheme, there are other masking schemes such as additive masking schemes (e.g. \((k+r)\bmod n\)) and multiplicative masking schemes (e.g. \((k\times r)\bmod n\)). A variety of masking implementations such as AES and its nonlinear components (Sboxes) have been published over the years. However, designing effective and efficient masking schemes is still a notoriously difficult task, especially for nonlinear functions. This has motivated a large amount of work on verifying whether masked implementations, as either (hardware) circuits or (software) programs, are statistically independent of secret inputs. Typically, masked hardware implementations are modeled as (probabilistic) Boolean programs where all variables range over the Boolean domain (i.e. Open image in new window ), while masked software implementations, featuring a richer set of operations, require to be modeled as (probabilistic) arithmetic programs.
Verification techniques for masking schemes can be roughly classified into type system based approaches [3, 4, 5, 14, 16, 19, 38] and modelcounting based approaches [24, 25, 50]. The basic idea of type system based approaches is to infer a distribution type for observable variables in the program that are potentially exposed to attackers. From the type information one may be able to show that the program is secure. This class of approaches is generally very efficient mainly because of their static analysis nature. However, they may give inconclusive answers as most existing type systems do not provide completeness guarantees.
Modelcounting based approaches, unsurprisingly, encode the verification problem as a series of modelcounting problems, and typically leverage SAT/SMT solvers. The main advantage of this approach is its completeness guarantees. However, the size of the modelcounting constraint is usually exponential in the number of (bits of) random variables used in masking, hence the approach poses great challenges to its scalability. We mention that, within this category, some work further exploits Fourier analysis [11, 15], which considers the Fourier expansion of the Boolean functions. The verification problem can then be reduced to checking whether certain coefficients of the Fourier expansion are zero or not. Although there is no hurdle in principle, to our best knowledge currently modelcounting based approaches are limited to Boolean programs only.
While verification of masking for Boolean programs is wellstudied [24, 50], generalizing them to arithmetic programs brings additional challenges. First of all, arithmetic programs admit more operations which are absent from Boolean programs. A typical example is field multiplication. In the Boolean domain, it is nothing more than \(\oplus \) which is a bit operation. However for Open image in new window (typically \(n=8\) in cryptographic algorithm implementations), the operation is nontrivial which prohibits many optimization which would otherwise be useful for Boolean domains. Second, verification of arithmetic programs often suffers from serious scalability issues, especially when the modelcounting based approaches are applied. We note that transforming arithmetic programs into equivalent Boolean versions is theoretically possible, but suffer from several deficiencies: (1) one has to encode complicated arithmetic operations (e.g. finite field multiplication) as bitwise operations; (2) the resulting Boolean program needs to be checked against higherorder attacks which are supposed to observe multiple observations simultaneously. This is a far more difficult problem. Because of this, we believe such as approach is practically, if not infeasible, unfavourable.
Perfect masking is ideal but not necessarily holds when there are flaws or only a limited number of random variables are allowed for efficiency consideration. In case that the program is not perfectly masked (i.e., a potential side channel does exist), naturally one wants to tell how severe it is. For instance, one possible measure is the resource the attacker needs to invest in order to infer the secret from the side channel. For this purpose, we adapt the notion of Quantitative Masking Strength, with which a correlation of the number of power traces to successfully infer secret has been established empirically [26, 27].
Main Contributions. We mainly focus on the verification of masked arithmetic programs. We advocate a hybrid verification method combining type system based and modelcounting based approaches, and provide additional quantitative analysis. We summarize the main contributions as follows.

We provide a hybrid approach which integrates type system based and modelcounting based approaches into a framework, and support a sound and complete reasoning of masked arithmetic programs.

We provide quantitative analysis in case when the masking is not effective, to calculate a quantitative measure of the information leakage.

We provide various heuristics and optimized algorithms to significantly improve the scalability of previous approaches.

We implement our approaches in a software tool and provide thorough evaluations. Our experiments show orders of magnitude of improvement with respect to previous verification methods on common benchmarks.
We find, perhaps surprisingly, that for modelcounting, the widely adopted approaches based on SMT solvers (e.g. [24, 25, 50]) may not be the best approach, as our experiments suggest that an alternative bruteforce approach is comparable for Boolean programs, and significantly outperforms for arithmetic programs.
Related Work. The dthreshold probing model is the de facto standard leakage model for orderd power sidechannel attacks [32]. This paper focuses on the case that \(d=1\). Other models like noise leakage model [17, 45], bounded moment model [6], and threshold probing model with transitions/glitch [15, 20] could be reduced to the threshold probing model, at the cost of introducing higher orders [3]. Other work on side channels such as executiontime, faults, and cache do exist ([1, 2, 7, 8, 12, 28, 31, 33] to cite a few), but is orthogonal to our work.
Type systems have been widely used in the verification of side channel attacks with early work [9, 38], where masking compilers are provided which can transform an input program into a functionally equivalent program that is resistant to firstorder DPA. However, these systems either are limited to certain operations (i.e., \(\oplus \) and table lookup), or suffer from unsoundness and incompleteness under the threshold probing model. To support verification of higherorder masking, Barthe et al. introduced the notion of noninterference (NI, [3]), and strong tnoninterference (SNI, [4]), which were extended to give a unified framework for both software and hardware implementations in maskVerif [5]. Further work along this line includes improvements for efficiency [14, 19], generalization for assemblylevel code [15], and extensions with glitches for hardware programs [29]. As mentioned earlier, these approaches are incomplete, i.e., secure programs may fail to pass their verification.
[24, 25] proposed a modelcounting based approach for Boolean programs by leveraging SMT solvers, which is complete but limited in scalability. To improve efficiency, a hybrid approach integrating typebased and modelcounting based approaches [24, 25] was proposed in [50], which is similar to the current work in spirit. However, it is limited to Boolean programs and qualitative analysis only. [26, 27] extended the approach of [24, 25] for quantitative analysis, but is limited to Boolean programs. The current work not only extends the applicability but also achieves significant improvement in efficiency even for Boolean programs (cf. Sect. 5). We also find that solving modelcounting via SMT solvers [24, 50] may not be the best approach, in particular for arithmetic programs.
Our work is related to quantitative information flow (QIF) [13, 35, 43, 44, 49] which leverages notions from information theory (typically Shannon entropy and mutual information) to measure the flow of information in programs. The QIF framework has also been specialized to sidechannel analysis [36, 41, 42]. The main differences are, first of all, QIF targets fullyfledged programs (including branching and loops) so program analysis techniques (e.g. symbolic execution) are needed, while we deal with more specialized (transformed) masked programs in straightline forms; second, to measure the information leakage quantitatively, our measure is based on the notion QMS which is correlated with the number of power traces needed to successfully infer the secret, while QIF is based on a more general sense of information theory; third, for calculating such a measure, both works rely on modelcounting. In QIF, the constraints over the input are usually linear, but the constraints in our setting involve arithmetic operations in rings and fields. Randomized approximate schemes can be exploited in QIF [13] which is not suitable in our setting. Moreover, we mention that in QIF, input variables should in principle be partitioned into public and private variables, and the former of which needs to be existentially quantified. This was briefly mentioned in, e.g., [36], but without implementation.
2 Preliminaries
Let us fix a bounded integer domain \(\mathbb {D}=\{0,\cdots ,2^n1\}\), where n is a fixed positive integer. Bitwise operations are defined over \(\mathbb {D}\), but we shall also consider arithmetic operations over \(\mathbb {D}\) which include \(+, , \times \) modulo \(2^n\) for which \(\mathbb {D}\) is consider to be a ring and the Galois field multiplication \(\odot \) where \(\mathbb {D}\) is isomorphic to Open image in new window (or simply Open image in new window ) for some irreducible polynomial p. For instance, in AES one normally uses Open image in new window and \(p(x)=x^8 + x^4 +x^3 + x^2 + 1\).
2.1 Cryptographic Programs
Given a program P, let \(X=X_p \uplus X_k\uplus X_i\uplus X_r\) denote the set of variables used in P, where \(X_p\), \(X_k\) and \(X_i\) respectively denote the set of public input, private input and internal variables, and \(X_r\) denotes the set of (uniformly distributed) random variables for masking private variables. We assume that the program is given in the single static assignment (SSA) form (i.e., each variable is defined exactly once) and each expression uses at most one operator. (One can easily transform an arbitrary straightline program into an equivalent one satisfying these conditions.) For each assignment \(x\leftarrow e\) in P, the computation \(\mathcal {E}(x)\) of x is an expression obtained from e by iteratively replacing all the occurrences of the internal variables in e by their defining expressions in P. SSA form guarantees that \(\mathcal {E}(x)\) is welldefined.
Semantics. A valuation is a function \(\sigma :X_p\cup X_k\rightarrow \mathbb {D}\) assigning to each variable \(x\in X_p\cup X_k\) a value \(c\in \mathbb {D}\). Let \(\varTheta \) denote the set of all valuations. Two valuations \(\sigma _1,\sigma _2\in \varTheta \) are Yequivalent, denoted by \(\sigma _1\approx _{Y}\sigma _2\), if \(\sigma _1(x)=\sigma _2(x)\) for all \(x\in Y\).
Given an expression e in terms of \(X_p\cup X_k\cup X_r\) and a valuation \(\sigma \in \varTheta \), we denote by \(e(\sigma )\) the expression obtained from e by replacing all the occurrences of variables \(x\in X_p\cup X_k\) by their values \(\sigma (x)\), and denote by Open image in new window the distribution of e (with respect to the uniform distribution of random variables \(e(\sigma )\) may contain). Concretely, Open image in new window is the probability of the expression \(e(\sigma )\) being evaluated to v for each \(v\in \mathbb {D}\). For each variable \(x\in X\) and valuation \(\sigma \in \varTheta \), we denote by Open image in new window the distribution Open image in new window . The semantics of the program P is defined as a (partial) function Open image in new window which takes a valuation \(\sigma \in \varTheta \) and an internal variable \(x\in X_i\) as inputs, returns the distribution Open image in new window of x.
Threat Models and Security Notions. We assume that the adversary has access to public input \(X_p\), but not to private input \(X_k\) or random variables \(X_r\), of a program P. However, the adversary may have access to an internal variable \(x\in X_i\) via sidechannels. Under these assumptions, the goal of the adversary is to deduce the information of \(X_k\).
Definition 1

x is uniform in P, denoted by x\(\mathbf{UF}\), if Open image in new window is uniform for all \(\sigma \in \varTheta \).

x is statistically independent in P, denoted by x\(\mathbf{SI}\), if Open image in new window for all \((\sigma _1,\sigma _2)\in \varTheta ^2_{X_p}\), where \(\varTheta ^2_{X_p}:=\{(\sigma _1,\sigma _2)\in \varTheta \times \varTheta \mid \sigma _1\approx _{X_p}\sigma _2\}\).
Proposition 1
If the program P is x\(\mathbf{UF}\), then P is x\(\mathbf{SI}\).
Definition 2
For a program P, a variable x is perfectly masked (a.k.a. secure under 1threshold probing model [32]) in P if it is x\(\mathbf{SI}\), otherwise x is leaky.
P is perfectly masked if all internal variables in P are perfectly masked.
2.2 Quantitative Masking Strength
When a program is not perfectly masked, it is important to quantify how secure it is. For this purpose, we adapt the notion of Quantitative Masking Strength (QMS) from [26, 27] to quantify the strength of masking countermeasures.
Definition 3
The quantitative masking strength \(\mathtt{QMS}_{x}\) of a variable \(x\in X\), is defined as: Open image in new window
Accordingly, the quantitative masking strength of the program P is defined by \(\mathtt{QMS}_P:=\min _{x\in X_i}{\mathtt{QMS}_{x}}\).
Example 1
Let us consider the program in Fig. 1, which implements a buggy Cube in Open image in new window from [47]. Given a secret key k, to avoid firstorder sidechannel attacks, k is masked by a random variable \(r_0\) leading to two shares \(x= k\oplus r_0\) and \(r_0\). Cube\((k,r_0,r_1)\) returns two shares \(x_7\) and \(x_9\) such that \(x_7\oplus x_9=k^3:=k\odot k\odot k\), where \(r_1\) is another random variable.
Cube computes \(k\odot k\) by \(x_0=x\odot x\) and \(x_1=r_0\odot r_0\) (Lines 3–4), as \(k\odot k=x_0\oplus x_1\). Then, it computes \(k^3\) by a secure multiplication of two pairs of shares \((x_0,x_1)\) and \((x,r_0)\) using the random variable \(r_1\) (Lines 5–12). However, this program is vulnerable to firstorder sidechannel attacks, as it is neither \(x_2\)\(\mathbf{SI}\) nor \(x_3\)\(\mathbf{SI}\). As shown in [47], we shall refresh \((x_0,x_1)\) before computing \(k^2\odot k\) by inserting \(x_0=x_0\oplus r_2\) and \(x_1=x_1\oplus r_2\) after Line 4, where \(r_2\) is a random variable. We use this buggy version as a running example to illustrate our techniques.
As setup for further use, we have: \(X_p=\emptyset \), \(X_k=\{k\}\), \(X_r=\{r_0,r_1\}\) and \(X_i=\{x,x_0,\cdots ,x_9\}\). The computations \(\mathcal {E}(\cdot )\) of internal variables are: Open image in new window
3 Three Key Techniques
In this section, we introduce three key techniques: type system, modelcounting based reasoning and reduction techniques, which will be used in our algorithm.
3.1 Type System
We present a type system for formally inferring distribution types of internal variables, inspired by prior work [3, 14, 40, 50]. We start with some basic notations.
Definition 4
(Dominant variables). Given an expression e, a random variable r is called a dominant variable of e if the following two conditions hold: (i) r occurs in e exactly once, and (ii) each operator on the path between the leaf r and the root in the abstract syntax tree of e is from either \(\{\oplus ,\lnot ,+,\}\) or \(\{\odot \}\) such that one of the children of the operator is a nonzero constant.
Remark that in Definition 4, for efficiency consideration, we take a purely syntactic approach meaning that we do not simplify e when checking the condition (i) that r occurs once. For instance, x is not a dominant variable in \(((x\oplus y)\oplus x)\oplus x\), although intuitively e is equivalent to \(y\oplus x\).
Given an expression e, let \(\mathsf{Var}(e)\) be the set of variables occurring in e, and \(\mathsf{RVar}(e):=\mathsf{Var}(e)\cap X_r\). We denote by \(\mathsf{Dom}(e)\subseteq \mathsf{RVar}(e)\) the set of all dominant random variables of e, which can be computed in linear time in the size of e.
Proposition 2
Given a program P with \(\mathcal {E}(x)\) defined for each variable x of P, if \(\mathsf{Dom}(\mathcal {E}(x))\ne \emptyset \), then P is x\(\mathbf{UF}\).
Definition 5

\(\mathcal {E}(x):\mathsf{RUD}\) meaning that the program is x\(\mathbf{UF}\);

\(\mathcal {E}(x):\mathsf{SID}\) meaning that the program is x\(\mathbf{SI}\);

\(\mathcal {E}(x):\mathsf{SDD}\) meaning that the program is not x\(\mathbf{SI}\);

\(\mathcal {E}(x):\mathsf{UKD}\) meaning that the distribution type of x is unknown.
Type judgements, as usual, are defined in the form of \(\vdash e:\tau ,\) where e is an expression in terms of \(X_r\cup X_k\cup X_p\), and \(\tau \in \mathcal {T}\) denotes the distribution type of e. A type judgement \(\vdash e:\mathsf{RUD}\) (resp. \(\vdash e:\mathsf{SID}\) and \(\vdash e:\mathsf{SDD}\)) is valid iff P is x\(\mathbf{UF}\) (resp. x\(\mathbf{SI}\) and not x\(\mathbf{SI}\)) for all variables x such that \(\mathcal {E}(x)=e\). A sound proof system for deriving valid type judgements is given in Fig. 2.
Rule (Dom) states that e containing some dominant variable has type \(\mathsf{RUD}\) (cf. Proposition 2). Rule (Com) captures the commutative law of operators \(\star \in \mathcal {O}\). Rules (Ide\(_i\)) for \(i=1,2,3,4\) are straightforward. Rule (NoKey) states that e has type \(\mathsf{SID}\) if e does not use any private input. Rule (Key) states that each private input has type \(\mathsf{SDD}\). Rule (Sid\(_{1}\)) states that \(e_1\circ e_2\) for \(\circ \in \{\wedge ,\vee ,\odot ,\times \}\) has type \(\mathsf{SID}\), if both \(e_1\) and \(e_2\) have type \(\mathsf{RUD}\), and \(e_1\) has a dominant variable r which is not used by \(e_2\). Indeed, \(e_1\circ e_2\) can be seen as \(r\circ e_2\), then for each valuation \(\eta \in \varTheta \), the distributions of r and \(e_2(\eta )\) are independent. Rule (Sid\(_{2}\)) states that \(e_1\bullet e_2\) for \(\bullet \in \mathcal {O}^*\) has type \(\mathsf{SID}\), if both \(e_1\) and \(e_2\) have type \(\mathsf{SID}\) (as well as its subtype \(\mathsf{RUD}\)), and the sets of random variables used by \(e_1\) and \(e_2\) are disjoint. Likewise, for each valuation \(\eta \in \varTheta \), the distributions on \(e_1(\eta )\) and \(e_2(\eta )\) are independent. Rule (Sdd) states that \(e_1\circ e_2\) for \(\circ \in \{\wedge ,\vee ,\odot ,\times \}\) has type \(\mathsf{SDD}\), if \(e_1\) has type \(\mathsf{SDD}\), \(e_2\) has type \(\mathsf{RUD}\), and \(e_2\) has a dominant variable r which is not used by \(e_1\). Intuitively, \(e_1\circ e_2\) can be safely seen as \(e_1\circ r\).
Finally, if no rule is applicable to an expression e, then e has unknown distribution type. Such a type is needed because our type system is—by design—incomplete. However, we expect—and demonstrate empirically—that for cryptographic programs, most internal variables have a definitive type other than \(\mathsf{UKD}\). As we will show later, to resolve \(\mathsf{UKD}\)typed variables, one can resort to modelcounting (cf. Sect. 3.2).
Theorem 1
If \(\vdash \mathcal {E}(x):\mathsf{RUD}\) (resp. \(\vdash \mathcal {E}(x):\mathsf{SID}\) and \(\vdash \mathcal {E}(x):\mathsf{SDD}\)) is valid, then P is x\(\mathbf{UF}\) (resp. x\(\mathbf{SI}\) and not x\(\mathbf{SI}\)).
Example 2
3.2 ModelCounting Based Reasoning
Recall that for \(x\in X_i\), Open image in new window .
To compute \(\mathtt{QMS}_{x}\), one naive approach is to use bruteforce to enumerate all possible valuations \(\sigma \) and then to compute distributions Open image in new window again by enumerating the assignments of random variables. This approach is exponential in the number of (bits of) variables in \(\mathcal {E}(x)\).

Program logic (\(\varTheta _f\) and \(\varTheta _f'\)): for every \(f:\mathsf{RVar}(\mathcal {E}(x))\rightarrow \mathbb {D}\), \(\varTheta _f\) encodes \(c_f=\mathcal {E}(x)\) into a logical formula with each occurrence of a random variable \(r\in \mathsf{RVar}(\mathcal {E}(x))\) being replaced by its value f(r), where \(c_f\) is a fresh variable. There are \(\mathbb {D}^{\mathsf{RVar}(\mathcal {E}(x))}\) distinct copies, but share the same \(X_p\) and \(X_k\). \(\varTheta _f'\) is similar to \(\varTheta _f\) except that all variables \(k\in X_k\) and \(c_f\) are replaced by fresh variables \(k'\) and \(c_f'\) respectively.

Boolean to integer (\(\varTheta _\mathtt{b2i}\) and \(\varTheta _\mathtt{b2i}'\)): \(\varTheta _\mathtt{b2i}:=\bigwedge _{f:\mathsf{RVar}(\mathcal {E}(x))\rightarrow \mathbb {D}} I_f= (c=c_f) \ ? \ 1: 0\). It asserts that for each \(f:\mathsf{RVar}(\mathcal {E}(x))\rightarrow \mathbb {D}\), a fresh integer variable \(I_f\) is 1 if \(c=c_f\), otherwise 0. \(\varTheta _\mathtt{b2i}'\) is similar to \(\varTheta _\mathtt{b2i}\) except that \(I_f\) and \(c_f\) are replaced by \(I_f'\) and \(c_f'\) respectively.

Different sums (\(\varTheta _\mathtt{diff}^q)\): \(\sum _{f:\mathsf{RVar}(\mathcal {E}(x))\rightarrow \mathbb {D}} I_f\sum _{f:\mathsf{RVar}(\mathcal {E}(x))\rightarrow \mathbb {D}}I_f' >\varDelta _x^q\).
Theorem 2
\(\varPsi _x^q\) is unsatisfiable iff \(\mathtt{QMS}_x\ge q\), and the size of \(\varPsi _x^q\) is polynomial in P and exponential in \(\mathsf{RVar}(\mathcal {E}(x))\) and \(\mathbb {D}\).
Based on Theorem 2, we present an algorithm for computing \(\mathtt{QMS}_{x}\) in Sect. 4.2.
Note that the qualitative variant of \(\varPsi _x^q\) (i.e. \(q=1\)) can be used to decide whether x is statistically independent by checking whether \(\mathtt{QMS}_x=1\) holds. This will be used in Algorithm 1.
Example 3
3.3 Reduction Heuristics
In this section, we provide various heuristics to reduce the size of formulae. These can be both applied to type inference and modelcounting based reasoning.
Ineffective Variable Elimination. A variable x is ineffective in an expression e if for all functions \(\sigma _1,\sigma _2:\mathsf{Var}(e)\rightarrow \mathbb {D}\) that agree on their values on the variables \(\mathsf{Var}(e)\setminus \{x\}\), e has same values under \(\sigma _1\) and \(\sigma _2\). Otherwise, we say x is effective in e. Clearly if x is ineffective in e, then e and e[c/x] are equivalent for any \(c\in \mathbb {D}\) while e[c/x] contains less variables, where e[c/x] is obtained from e by replacing all occurrences of x with c. Checking whether x is effective or not in e can be performed by a satisfiability checking of the logical formula: \(e[c/x]\ne e[c'/x]\). Obviously, \(e[c/x]\ne e[c'/x]\) is satisfiable iff x is effective in e.
Algebraic Laws. For every subexpression \(e'\) of the form \(e_1\oplus e_1, e_2e_2,e\circ 0\) or \(0\circ e\) with \(\circ \in \{\times ,\odot ,\wedge \}\) in the expression e, it is safe to replace \(e'\) by 0, namely, e and \(e[0/e']\) are equivalent. Note that the constant 0 is usually introduced by instantiating ineffective variables by 0 when eliminating ineffective variables.
Dominated Subexpression Elimination. Given an expression e, if \(e'\) is a rdominated subexpression in e and r does not occur in e elsewhere, then it is safe to replace each occurrence of \(e'\) in e by the random variable r. Intuitively, \(e'\) as a whole can be seen as a random variable when evaluating e. Besides this elimination, we also allow to add metetheorems specifying forms of subexpressions \(e'\) that can be replaced by a fresh variable. For instance, \(r\oplus ((2\times r)\wedge e'')\) in e, when the random variable r does not appear elsewhere, can be replaced by the random variable r.
Let \(\widehat{e}\) denote the expression obtained by applying the above heuristics on the expression e.
Transformation Oracle. We suppose there is an oracle \(\varOmega \) which, whenever possible, transforms an expression e into an equivalent expression \(\varOmega (e)\) such that the type inference can give a non\(\mathsf{UKD}\) type to \(\varOmega (e)\).
Lemma 1
\(\mathcal {E}(x)(\sigma )\) and \(\widehat{\mathcal {E}(x)}(\sigma )\) have same distribution for any \(\sigma \in \varTheta \).
Example 4
Consider the variable \(x_6\) in the program in Fig. 1, \((k\oplus r_0)\) is \(r_0\)dominated subexpression in \(\mathcal {E}(x_6)=((k\oplus r_0)\odot (k\oplus r_0))\odot (k\oplus r_0)\), then, we can simplify \(\mathcal {E}(x_6)\) into \(\widehat{\mathcal {E}(x_6)}=r_0\odot r_0 \odot r_0\). Therefore, we can deduce that \(\vdash \mathcal {E}(x_6):\mathsf{SID}\) by applying the NoKey rule on \(\widehat{\mathcal {E}(x_6)}\).
4 Overall Algorithms
4.1 Perfect Masking Verification
Given a program P with the sets of public (\(X_p\)), secret (\(X_k\)), random (\(X_r\)) and internal \((X_i)\) variables, PMChecking, given in Algorithm 1, checks whether P is perfectly masked or not. It iteratively traverses all the internal variables. For each variable \(x\in X_i\), it first applies the type system to infer its distribution type. If \(\vdash \mathcal {E}(x):\tau \) for \(\tau \ne \mathsf{UKD}\) is valid, then the result is conclusive. Otherwise, we will simplify the expression \(\mathcal {E}(x)\) and apply the type inference to \(\widehat{\mathcal {E}(x)}\).
If it fails to resolve the type of x and \(\varOmega (\widehat{\mathcal {E}(x)})\) does not exist, we apply the modelcounting based (SMTbased or bruteforce) approach outlined in Sect. 3.2, in particular, to check the expression \(\widehat{\mathcal {E}(x)}\). There are two possible outcomes: either \(\widehat{\mathcal {E}(x)}\) is \(\mathsf{SID}\) or \(\mathsf{SDD}\). We enforce \(\mathcal {E}(x)\) to have the same distributional type as \(\widehat{\mathcal {E}(x)}\) which might facilitate the inference for other expressions.
Theorem 3
P is perfectly masked iff \(\vdash \mathcal {E}(x):\mathsf{SDD}\) is not valid for any \(x\in X_i\), when Algorithm 1 terminates.
We remark that, if the modelcounting is disabled in Algorithm 1 where \(\mathsf{UKD}\)typed variables are interpreted as potentially leaky, Algorithm 1 would degenerate to a type inference procedure that is fast and potentially more accurate than the one in [3], owing to the optimization introduced in Sect. 3.3.
4.2 QMS Computing
QMSComputing, given in Algorithm 2, computes \(\mathtt{QMS}_x\) for each \(x\in X_i\). It first invokes the function PMChecking for perfect masking verification. For \(\mathsf{SID}\)typed variable \(x\in X_i\), we can directly infer that \(\mathtt{QMS}_x\) is 1. For each leaky variable \(x\in X_i\), we first check whether \(\widehat{\mathcal {E}(x)}\) uses any random variables or not. If it does not use any random variables, we directly deduce that \(\mathtt{QMS}_x\) is 0. Otherwise, we use either the bruteforce enumeration or an SMTbased binary search to compute \(\mathtt{QMS}_x\). The former one is trivial, hence not presented in Algorithm 2. The latter one is based on the fact that \(\mathtt{QMS}_x=\frac{i}{2^{n\cdot \mathsf{RVar}(\widehat{\mathcal {E}(x)})}}\) for some integer \(0\le i\le 2^{n\cdot \mathsf{RVar}(\widehat{\mathcal {E}(x)})}\). Hence the whileloop in Algorithm 2 executes at most \(\mathbf{O}(n\cdot \mathsf{RVar}(\widehat{\mathcal {E}(x)}))\) times for each x.
Our SMTbased binary search for computing QMS values is different from the one proposed by Eldib et al. [26, 27]. Their algorithm considers Boolean programs only and computes QMS values by directly binary searching the QMS value q between 0 to 1 with a predefined step size \(\epsilon \) (\(\epsilon =0.01\) in [26, 27]). Hence, it only approximate the actual QMS value and the binary search iterates \(\mathbf{O}(\log (\frac{1}{\epsilon }))\) times for each internal variable. Our approach works for more general arithmetic programs and computes the accurate QMS value.
5 Practical Evaluation
We have implemented our methods in a tool named QMVerif, which uses Z3 [23] as the underlying SMT solver (fixed size bitvector theory). We conducted experiments perfect masking verification and QMS computing on both Boolean and arithmetic programs. Our experiments were conducted on a server with 64bit Ubuntu 16.04.4 LTS, Intel Xeon CPU E52690 v4, and 256 GB RAM.
5.1 Experimental Results on Boolean Programs
We use the benchmarks from the publicly available cryptographic software implementations of [25], which consists of 17 Boolean programs (P1P17). We conducted experiments on P12P17, which are the regenerations of MACKeccak reference code submitted to the SHA3 competition held by NIST. (We skipped tiny examples P1P11 which can be verified in less than 1 second.) P12P17 are transformed into programs in straightline forms.
Results on masked Boolean programs for perfect masking verification.
Name  \(X_i\)  \(\sharp \mathsf{SDD}\)  \(\sharp \)Count  QMVerif  SCInfer [50]  

SMT  B.F.  
P12  197k  0  0  2.9s  2.7s  3.8s 
P13  197k  4.8k  4.8k  2m 8s  2m 6s  47m 8s 
P14  197k  3.2k  3.2k  1m 58s  1m 45s  53m 40s 
P15  198k  1.6k  3.2k  2m 25s  2m 43s  69m 6s 
P16  197k  4.8k  4.8k  1m 50s  1m 38s  61m 15s 
P17  205k  17.6k  12.8k  1m 24s  1m 10s  121m 28s 
We can observe that: (1) our reduction heuristics significantly improve performance compared with SCInfer [50] (generally 22–104 times faster for imperfect masked programs; note that SCInfer is based on SMT modelcounting), and (2) the performance of the SMTbased and bruteforce counting methods for verifying perfect masking of Boolean programs is largely comparable.
Results of masked Boolean programs for computing QMS Values.
Name  \(\sharp \mathsf{SDD}\)  QMVerif  

\(\sharp \)Iter  Time  Min  Max  Avg.  \(\sharp \)Iter  SMT  B.F.  Min  Max  Avg.  
P13  4.8k  480k  97m 23s  0.00  1.00  0.98  0  0  0  0.00  1.00  0.98 
P14  3.2k  160k  40m 13s  0.51  1.00  0.99  9.6k  2m 56s  39s  0.50  1.00  0.99 
P15  1.6k  80k  23m 26s  0.51  1.00  1.00  4.8k  1m 36s  1m 32s  0.50  1.00  1.00 
P16  4.8k  320k  66m 27s  0.00  1.00  0.98  6.4k  1m 40s  8s  0.00  1.00  0.98 
P17  17.6k  1440k  337m 46s  0.00  1.00  0.93  4.8k  51s  1s  0.00  1.00  0.94 
Results of masked arithmetic programs, where P.M.V. denotes perfect masking verification, B.F. denotes bruteforce, 12 S.F. denotes that Z3 emits segmentation fault after verifying 12 internal variables.
Description  \(X_i\)  \(\sharp \mathsf{SDD}\)  \(\sharp \)Count  P.M.V.  QMS  

SMT  B.F.  SMT  B.F.  Value  
SecMult [47]  11  0  0  \(\approx \)0s  \(\approx \)0s      1 
Sbox (4) [22]  66  0  0  \(\approx \)0s  \(\approx \)0s      1 
B2A [30]  8  0  1  17s  2s      1 
A2B [30]  46  0  0  \(\approx \)0s  \(\approx \)0s      1 
B2A [21]  82  0  0  \(\approx \)0s  \(\approx \)0s      1 
A2B [21]  41  0  0  \(\approx \)0s  \(\approx \)0s      1 
B2A [18]  11  0  1  1m 35s  10m 59s      1 
B2A [10]  16  0  0  \(\approx \)0s  \(\approx \)0s      1 
Sbox [47]  45  0  0  \(\approx \)0s  \(\approx \)0s      1 
Sbox [48]  772  2  1  \(\approx \)0s  \(\approx \)0s  0.9s  \(\approx \)0s  0 
\(k^{3}\)  11  2  2  96m 59s  0.2s  32s  0.988  
\(k^{12}\)  15  2  2  101m 34s  0.3s  27s  0.988  
\(k^{15}\)  21  4  4  93m 27s (12 S.F.)  28m 17s  \(\approx \)64h  0.988, 0.980  
\(k^{240}\)  23  4  4  93m 27s (12 S.F.)  30m 9s  \(\approx \)64h  0.988, 0.980  
\(k^{252}\)  31  4  4  93m 27s (12 S.F.)  32m 58s  \(\approx \)64h  0.988, 0.980  
\(k^{254}\)  39  4  4  93m 27s (12 S.F.)  30m 9s  \(\approx \)64h  0.988, 0.980 
We can observe that (1) the bruteforce method outperforms the SMTbased method for computing QMS values, and (2) our tool QMVerif using SMTbased methods takes significant less iterations and time, as our binary search step depends on the number of bits of random variables, but not a predefined value (e.g. 0.01) as used in [24, 25]. In particular, the QMS values of leaky variables whose expressions contain no random variables, e.g., P13 and P17, do not need binary search.
5.2 Experimental Results on Arithmetic Programs
We collect arithmetic programs which represent nonlinear functions of masked cryptographic software implementations from the literature. In Table 3, Column 1 lists the name of the functions under consideration, where \(k^{3},\ldots , k^{254}\) are buggy fragments of firstorder secure exponentiation [47] without the first RefreshMask function; A2B and B2A are shorthand for ArithmeticToBoolean and BooleanToArithmetic, respectively. Columns 2–4 show basic statistics. For all the experiments, we set \(\mathbb {D}=\{0,\cdots ,2^81\}\).
Perfect Masking Verification. Columns 5–6 in Table 3 show the results of perfect masking verification on these programs using SMTbased and bruteforce methods respectively.
We observe that (1) some \(\mathsf{UKD}\)typed variables (e.g., in B2A [30], B2A [18] and Sbox [48], meaning that the type inference is inconclusive in these cases) are resolved (as \(\mathsf{SID}\)type) by modelcounting, and (2) on the programs (except B2A [18]) where modelcounting based reasoning is required (i.e., \(\sharp \)Count is nonzero), the bruteforce method is significantly faster than the SMTbased method. In particular, for programs \(k^{15},\ldots , k^{254}\), Z3 crashed with segment fault after verifying 12 internal variables in 93 min, while the bruteforce method comfortably returns the result. To further explain the performance of these two classes of methods, we manually examine these programs and find that the expressions of the \(\mathsf{UKD}\)typed variable (using type inference) in B2A [18] (where the SMTbased method is faster) only use exclusiveor (\(\oplus \)) operations and one subtraction (−) operation, while the expressions of the other \(\mathsf{UKD}\)typed variables (where the bruteforce method is faster) involve the finite field multiplication (\(\odot \)).
We remark that the transformation oracle and metatheorems (cf. Sect. 3.3) are only used for A2B [30] by manually utilizing the equations of Theorem 3 in [30]. We have verified the correctness of those equations by SMT solvers. In theory modelcounting based reasoning could verify A2B [30]. However, in our experiments both SMTbased and bruteforce methods failed to terminate in 3 days, though bruteforce methods had verified more internal variables. For instance, on the expression \(((2\times r_1) \oplus (x  r) \oplus r_1) \wedge r\) where x is a private input and \(r,r_1\) are random variables, Z3 cannot terminate in 2 days, while bruteforce methods successfully verified in a few minutes. We also tested the SMT solver Boolector [39] (the winner of SMTCOMP 2018 on QFBV, Main Track), which crashed with being out of memory. Undoubtedly more systematic experiments are required in the future, but our results suggest that, contrary to the common belief, currently SMTbased approaches are not promising, which calls for more scalable techniques.
Computing QMS. Columns 7–9 in Table 3 show the results of computing QMS values, where Column 7 (resp. Column 8) shows the time of the SMTbased (resp. bruteforce) method for computing QMS values (excluding the time for perfect masking verification) and Column 9 shows QMS values of all leaky variables (note that duplicated values are omitted).
6 Conclusion
We have proposed a hybrid approach combing type inference and modelcounting to verify masked arithmetic programs against firstorder sidechannel attacks. The type inference allows an efficient, lightweight procedure to determine most observable variables whereas modelcounting accounts for completeness, bringing the best of two worlds. We also provided modelcounting based methods to quantify the amount of information leakage via side channels. We have presented the tool support QMVerif which has been evaluated on standard cryptographic benchmarks. The experimental results showed that our method significantly outperformed stateoftheart techniques in terms of both accuracy and scalability.
Future work includes further improving SMTbased model counting techniques which currently provide no better, if not worse, performance than the naïve brutalforce approach. Furthermore, generalizing the work in the current paper to the verification of higherorder masking schemes remains to be a very challenging task.
Footnotes
 1.
Note that addition/subtraction over Galois fields is essentially bitwise exclusiveor.
References
 1.Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F., Emmi, M.: Verifying constanttime implementations. In: USENIX Security Symposium, pp. 53–70 (2016)Google Scholar
 2.Antonopoulos, T., Gazzillo, P., Hicks, M., Koskinen, E., Terauchi, T., Wei, S.: Decomposition instead of selfcomposition for proving the absence of timing channels. In: ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 362–375 (2017)CrossRefGoogle Scholar
 3.Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.A., Grégoire, B., Strub, P.Y.: Verified proofs of higherorder masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, Part I, vol. 9056, pp. 457–485. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662468005_18CrossRefGoogle Scholar
 4.Barthe, G., et al.: Strong noninterference and typedirected higherorder masking. In: ACM Conference on Computer and Communications Security, pp. 116–129 (2016)Google Scholar
 5.Barthe, G., Belaïd, S., Fouque, P., Grégoire, B.: maskVerif: a formal tool for analyzing software and hardware masked implementations. IACR Cryptology ePrint Archive 2018:562 (2018)Google Scholar
 6.Barthe, G., Dupressoir, F., Faust, S., Grégoire, B., Standaert, F.X., Strub, P.Y.: Parallel implementations of masking schemes and the bounded moment leakage model. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, Part I, vol. 10210, pp. 535–566. Springer, Cham (2017). https://doi.org/10.1007/9783319566207_19CrossRefGoogle Scholar
 7.Barthe, G., Dupressoir, F., Fouque, P., Grégoire, B., Zapalowicz, J.: Synthesis of fault attacks on cryptographic implementations. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 1016–1027 (2014)Google Scholar
 8.Barthe, G., Köpf, B., Mauborgne, L., Ochoa, M.: Leakage resilience against concurrent cache attacks. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 140–158. Springer, Heidelberg (2014). https://doi.org/10.1007/9783642547928_8CrossRefGoogle Scholar
 9.Bayrak, A.G., Regazzoni, F., Novo, D., Ienne, P.: Sleuth: automated verification of software power analysis countermeasures. In: Bertoni, G., Coron, J.S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 293–310. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642403491_17CrossRefGoogle Scholar
 10.Bettale, L., Coron, J., Zeitoun, R.: Improved highorder conversion from boolean to arithmetic masking. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 22–45 (2018)Google Scholar
 11.Bhasin, S., Carlet, C., Guilley, S.: Theory of masking with codewords in hardware: lowweight dthorder correlationimmune boolean functions. IACR Cryptology ePrint Archive 2013:303 (2013)Google Scholar
 12.Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052259CrossRefGoogle Scholar
 13.Biondi, F., Enescu, M.A., Heuser, A., Legay, A., Meel, K.S., Quilbeuf, J.: Scalable approximation of quantitative information flow in programs. In: Dillig, I., Palsberg, J. (eds.) VMCAI 2018. LNCS, vol. 10747, pp. 71–93. Springer, Cham (2018). https://doi.org/10.1007/9783319737218_4CrossRefGoogle Scholar
 14.Bisi, E., Melzani, F., Zaccaria, V.: Symbolic analysis of higherorder side channel countermeasures. IEEE Trans. Comput. 66(6), 1099–1105 (2017)MathSciNetCrossRefGoogle Scholar
 15.Bloem, R., Gross, H., Iusupov, R., Könighofer, B., Mangard, S., Winter, J.: Formal verification of masked hardware implementations in the presence of glitches. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, Part II, vol. 10821, pp. 321–353. Springer, Cham (2018). https://doi.org/10.1007/9783319783758_11CrossRefzbMATHGoogle Scholar
 16.Breier, J., Hou, X., Liu, Y.: Fault attacks made easy: differential fault analysis automation on assembly code. Cryptology ePrint Archive, Report 2017/829 (2017). https://eprint.iacr.org/2017/829
 17.Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract poweranalysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051_26CrossRefGoogle Scholar
 18.Coron, J.S.: Highorder conversion from boolean to arithmetic masking. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 93–114. Springer, Cham (2017). https://doi.org/10.1007/9783319667874_5CrossRefGoogle Scholar
 19.Coron, J.S.: Formal verification of sidechannel countermeasures via elementary circuit transformations. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 65–82. Springer, Cham (2018). https://doi.org/10.1007/9783319933870_4CrossRefGoogle Scholar
 20.Coron, J.S., Giraud, C., Prouff, E., Renner, S., Rivain, M., Vadnala, P.K.: Conversion of security proofs from one leakage model to another: a new issue. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 69–81. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642299124_6CrossRefGoogle Scholar
 21.Coron, J.S., Großschädl, J., Vadnala, P.K.: Secure conversion between boolean and arithmetic masking of any order. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 188–205. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662447093_11CrossRefzbMATHGoogle Scholar
 22.Coron, J.S., Prouff, E., Rivain, M., Roche, T.: Higherorder side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662439333_21CrossRefGoogle Scholar
 23.de Moura, L., Bjørner, N.: Z3: An efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540788003_24CrossRefGoogle Scholar
 24.Eldib, H., Wang, C., Schaumont, P.: Formal verification of software countermeasures against sidechannel attacks. ACM Trans. Softw. Eng. Methodol. 24(2), 11 (2014)CrossRefGoogle Scholar
 25.Eldib, H., Wang, C., Schaumont, P.: SMTbased verification of software countermeasures against sidechannel attacks. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 62–77. Springer, Heidelberg (2014). https://doi.org/10.1007/9783642548628_5CrossRefGoogle Scholar
 26.Eldib, H., Wang, C., Taha, M., Schaumont, P.: QMS: evaluating the sidechannel resistance of masked software from source code. In: ACM/IEEE Design Automation Conference, vol. 209, pp. 1–6 (2014)Google Scholar
 27.Eldib, H., Wang, C., Taha, M.M.I., Schaumont, P.: Quantitative masking strength: quantifying the power sidechannel resistance of software code. IEEE Trans. CAD Integr. Circ. Syst. 34(10), 1558–1568 (2015)CrossRefGoogle Scholar
 28.Eldib, H., Wu, M., Wang, C.: Synthesis of faultattack countermeasures for cryptographic circuits. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, Part II, vol. 9780, pp. 343–363. Springer, Cham (2016). https://doi.org/10.1007/9783319415406_19CrossRefGoogle Scholar
 29.Faust, S., Grosso, V., Pozo, S.M.D., Paglialonga, C., Standaert, F.: Composable masking schemes in the presence of physical defaults and the robust probing model. IACR Cryptology ePrint Archive 2017:711 (2017)Google Scholar
 30.Goubin, L.: A sound method for switching between boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001). https://doi.org/10.1007/3540447091_2CrossRefGoogle Scholar
 31.Guo, S., Wu, M., Wang, C.: Adversarial symbolic execution for detecting concurrencyrelated cache timing leaks. In: Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering, pp. 377–388 (2018)Google Scholar
 32.Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540451464_27CrossRefGoogle Scholar
 33.Kocher, P.C.: Timing attacks on implementations of DiffieHellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3540686975_9CrossRefGoogle Scholar
 34.Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051_25CrossRefGoogle Scholar
 35.Malacaria, P., Heusser, J.: Information theory and security: quantitative information flow. In: Aldini, A., Bernardo, M., Di Pierro, A., Wiklicky, H. (eds.) SFM 2010. LNCS, vol. 6154, pp. 87–134. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642136788_3CrossRefzbMATHGoogle Scholar
 36.Malacaria, P., Khouzani, M.H.R., Pasareanu, C.S., Phan, Q., Luckow, K.S.: Symbolic sidechannel analysis for probabilistic programs. In: Proceedings of the 31st IEEE Computer Security Foundations Symposium (CSF), pp. 313–327 (2018)Google Scholar
 37.Moradi, A., Barenghi, A., Kasper, T., Paar, C.: On the vulnerability of FPGA bitstream encryption against power analysis attacks: extracting keys from xilinx virtexii fpgas. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 111–124 (2011)Google Scholar
 38.Moss, A., Oswald, E., Page, D., Tunstall, M.: Compiler assisted masking. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 58–75. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642330278_4CrossRefGoogle Scholar
 39.Niemetz, A., Preiner, M., Biere, A.: Boolector 2.0 system description. J. Satisf. Boolean Model. Comput. 9, 53–58 (2014). (published 2015)Google Scholar
 40.Ouahma, I.B.E., Meunier, Q., Heydemann, K., Encrenaz, E.: Symbolic approach for sidechannel resistance analysis of masked assembly codes. In: Security Proofs for Embedded Systems (2017)Google Scholar
 41.Pasareanu, C.S., Phan, Q., Malacaria, P.: Multirun sidechannel analysis using symbolic execution and MaxSMT. In: Proceedings of the IEEE 29th Computer Security Foundations Symposium (CSF), pp. 387–400 (2016)Google Scholar
 42.Phan, Q., Bang, L., Pasareanu, C.S., Malacaria, P., Bultan, T.: Synthesis of adaptive sidechannel attacks. In: Proceedings of the 30th IEEE Computer Security Foundations Symposium (CSF), pp. 328–342 (2017)Google Scholar
 43.Phan, Q., Malacaria, P.: Abstract model counting: a novel approach for quantification of information leaks. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS), pp. 283–292 (2014)Google Scholar
 44.Phan, Q., Malacaria, P., Pasareanu, C.S., d’Amorim, M.: Quantifying information leaks using reliability analysis. In: Proceedings of 2014 International Symposium on Model Checking of Software (SPIN), pp. 105–108 (2014)Google Scholar
 45.Prouff, E., Rivain, M.: Masking against sidechannel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642383489_9CrossRefGoogle Scholar
 46.Quisquater, J.J., Samyde, D.: ElectroMagnetic Analysis (EMA): measures and countermeasures for smart cards. In: Attali, I., Jensen, T. (eds.) Esmart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001). https://doi.org/10.1007/3540454187_17CrossRefzbMATHGoogle Scholar
 47.Rivain, M., Prouff, E.: Provably secure higherorder masking of AES. In: Mangard, S., Standaert, F.X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642150319_28CrossRefGoogle Scholar
 48.Schramm, K., Paar, C.: Higher order masking of the AES. In: Pointcheval, D. (ed.) CTRSA 2006. LNCS, vol. 3860, pp. 208–225. Springer, Heidelberg (2006). https://doi.org/10.1007/11605805_14CrossRefGoogle Scholar
 49.Val, C.G., Enescu, M.A., Bayless, S., Aiello, W., Hu, A.J.: Precisely measuring quantitative information flow: 10k lines of code and beyond. In: Proceedings of IEEE European Symposium on Security and Privacy (EuroS&P), pp. 31–46 (2016)Google Scholar
 50.Zhang, J., Gao, P., Song, F., Wang, C.: SCInfer: refinementbased verification of software countermeasures against sidechannel attacks. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, Part II, vol. 10982, pp. 157–177. Springer, Cham (2018). https://doi.org/10.1007/9783319961422_12CrossRefGoogle Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.